Retry auth once without local options

Hack around picky server implementations.

Fixes #95

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## Unreleased
+
+### Fixed
+
+- Authentication failure due to local options. [#95](https://github.com/keeshux/tunnelkit/issues/95)
+
 ## 1.7.0 (2019-04-28)
 
 ### Changed

TunnelKit/Sources/Core/SessionProxy+Authenticator.swift

@@ -66,6 +66,8 @@ extension SessionProxy {
         
         let password: ZeroingData?
         
+        var withLocalOptions: Bool
+        
         init(_ username: String?, _ password: String?) throws {
             preMaster = try SecureRandom.safeData(length: CoreConfiguration.preMasterLength)
             random1 = try SecureRandom.safeData(length: CoreConfiguration.randomLength)
@@ -80,6 +82,8 @@ extension SessionProxy {
                 self.password = nil
             }
             
+            withLocalOptions = true
+            
             controlBuffer = Z()
         }
         
@@ -95,11 +99,12 @@ extension SessionProxy {
             raw.append(random2)
             
             // options string
+            let optsString: String
+            if withLocalOptions {
                 var opts = [
                     "V4",
                     "dev-type tun"
                 ]
-            //////
                 if let comp = options.compressionFraming {
                     switch comp {
                     case .compLZO:
@@ -123,7 +128,10 @@ extension SessionProxy {
                 }
                 opts.append("key-method 2")
                 opts.append("tls-client")
-            let optsString = opts.joined(separator: ",")
+                optsString = opts.joined(separator: ",")
+            } else {
+                optsString = "V0 UNDEF"
+            }
             log.debug("TLS.auth: Local options: \(optsString)")
             raw.appendSized(Z(optsString, nullTerminated: true))
             

TunnelKit/Sources/Core/SessionProxy.swift

@@ -106,6 +106,8 @@ public class SessionProxy {
 
     private var tlsObserver: NSObjectProtocol?
     
+    private var withLocalOptions: Bool
+
     private var keys: [UInt8: SessionKey]
 
     private var oldKeys: [SessionKey]
@@ -190,6 +192,7 @@ public class SessionProxy {
         self.configuration = configuration
         self.cachesURL = cachesURL
 
+        withLocalOptions = true
         keys = [:]
         oldKeys = []
         negotiationKeyIdx = 0
@@ -676,6 +679,7 @@ public class SessionProxy {
         
         do {
             authenticator = try Authenticator(credentials?.username, pushReply?.options.authToken ?? credentials?.password)
+            authenticator?.withLocalOptions = withLocalOptions
             try authenticator?.putAuth(into: negotiationKey.tls, options: configuration)
         } catch let e {
             deferStop(.shutdown, e)
@@ -908,6 +912,15 @@ public class SessionProxy {
     // Ruby: handle_ctrl_msg
     private func handleControlMessage(_ message: String) {
         guard !message.hasPrefix("AUTH_FAILED") else {
+
+            // XXX: retry without client options
+            if authenticator?.withLocalOptions ?? false {
+                log.warning("Authentication failure, retrying without local options")
+                withLocalOptions = false
+                deferStop(.reconnect, SessionError.badCredentials)
+                return
+            }
+
             deferStop(.shutdown, SessionError.badCredentials)
             return
         }